<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>iRedAdmin-Pro: Domain ownership verification</title>
        <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
    </head>
    <body>

    <div id="navigation">
    <a href="https://www.iredmail.org" target="_blank">
        <img alt="iRedMail web site"
             src="./images/logo-iredmail.png"
             style="vertical-align: middle; height: 30px;"
             />&nbsp;
        <span>iRedMail</span>
    </a>
    &nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="iredadmin-pro-domain-ownership-verification">iRedAdmin-Pro: Domain ownership verification</h1>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>Check out the lightweight on-premises email archiving software developed by iRedMail team: <a href="https://spiderd.io/">Spider Email Archiver</a>.</p>
</div>
<div class="toc">
<ul>
<li><a href="#iredadmin-pro-domain-ownership-verification">iRedAdmin-Pro: Domain ownership verification</a><ul>
<li><a href="#summary">Summary</a></li>
<li><a href="#how-to-enable-or-disable-domain-ownership-verification">How to enable or disable domain ownership verification</a></li>
<li><a href="#how-to-verify-domain-ownership">How to verify domain ownership</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="summary">Summary</h2>
<p>Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant
normal domain admin permission to create new mail domains. All new domains
added by normal domain admin require domain ownership verification by deafult,
to ensure:</p>
<ul>
<li>the newly added mail domain name is a valid domain name on internet</li>
<li>the domain admin have the required privileges in the domain to manage the
  email services</li>
</ul>
<p>Mail services are disabled for pending domains, and will be activated
automatically after admin verified the ownership.</p>
<h2 id="how-to-enable-or-disable-domain-ownership-verification">How to enable or disable domain ownership verification</h2>
<p>There're few parameters used to control domain ownership verifivation, you can
find default settings in file <code>libs/default_settings.py</code> under iRedAdmin-Pro
directory. If you want to change any of them, please copy the parameter to
iRedAdmin-Pro config file <code>settings.py</code>, set proper value, then restart
Apache or uwsgi (if you're running Nginx) service to reload the changes.</p>
<pre><code># Require domain ownership verification if it's added by normal domain admin:
# True, False.
REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True

# How long should we remove verified or (inactive) unverified domain ownerships.
#
# iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
# removed the domain and re-adds it, no verification required.
#
# Admin won't frequently remove and re-add same domain name, so it's ok to
# remove saved ownership after X days.
DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30

# The string prefixed to verify code. Must be shorter than than 60 characters.
DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'

# Timeout (in seconds) while performing each verification.
DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
</code></pre>
<h2 id="how-to-verify-domain-ownership">How to verify domain ownership</h2>
<p>There're several ways to verify domain ownership:</p>
<ul>
<li>
<p>Create a text file under top directory of the web site of new domain, both
  file name and file content must be same as verify code.</p>
<p>For example, for pending domain <code>example.com</code> with verify code
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, iRedAdmin-Pro will
verify 2 URLs:</p>
<ul>
<li>http: <code>http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
<li>https: <code>https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
</ul>
<p>If you visit the URL with a web browser, it's expected to display verify
code as page content.</p>
</li>
<li>
<p>Create a TXT type DNS record of the domain name, use the verify code as its
  value.</p>
<p>For example, for pending domain <code>example.com</code> with verify code
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, DNS query by command
<code>nslookup -type=txt example.com</code> should return a record which is same as
verify code.</p>
</li>
</ul>
<p>Sample DNS query with <code>nslookup</code>:</p>
<pre><code>$ nslookup -type=txt example.com
...
example.com     text = &quot;iredmail-domain-verification-5tzh5gHjU688yyWK7cSV&quot;
...
</code></pre>
<p>Sample DNS query with <code>dig</code>:</p>
<pre><code>$ dig -t txt example.com
...
iredmail.org.       4173    IN  TXT &quot;iredmail-domain-verification-5tzh5gHjU688yyWK7cSV&quot;
...
</code></pre><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>